CVE-2019-11216

Sažetak

BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed.

Reference

http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html
http://seclists.org/fulldisclosure/2019/Dec/7
https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html

CVSS

Base:	5.5
Impact:	4.9
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	PARTIAL

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:N/A:P

Zadnje važnije ažuriranje

13-12-2019 - 21:37

Objavljeno

04-12-2019 - 20:15